Abstract

Commodity operating systems entrusted with securing sensitive data are
remarkably large and complex, and consequently, frequently prone to
compromise. To address this limitation, we introduce a
virtual-machine-based system called Overshadow that protects the privacy
and integrity of application data, even in the event of a total OS
compromise. Overshadow presents an application with a normal view of its
resources, but the OS with an encrypted view. This allows the operating
system to carry out the complex task of managing an application's
resources, without allowing it to read or modify them. Thus, Overshadow
offers a last line of defense for application data.

Overshadow builds on multi-shadowing, a novel mechanism that
presents different views of “physical” memory, depending on
the context performing the access. This primitive offers an additional
dimension of protection beyond the hierarchical protection domains
implemented by traditional operating systems and processor architectures.

We present the design and implementation of Overshadow and show how its
new protection semantics can be integrated with existing systems. Our
design has been fully implemented and used to protect a wide range of
unmodified legacy applications running on an unmodified Linux operating
system. We evaluate the performance of our implementation, demonstrating
that this approach is practical.